1. Field of Art
The present invention relates generally to the field of data communications networks, and more particularly to data communications networks protected by cryptographic techniques (e.g., encryption). Still more particularly, the present invention relates to systems and methods for controlling the flow of data traffic in cryptographically-protected data communications networks.
2. Related Art
Data communications networks are typically comprised of a set of nodes (e.g., computers, routers and/or switches) connected by a set of interface links (e.g., wires, cable, fiber, microwave or radio wave channels, etc.). In a data communications network, a node is a connection point, either a redistribution point or an end point, for data transmissions. In general, a node (especially if the node is a switch or router) has a programmed or engineered capability to recognize, process and/or forward data traffic to other nodes.
A “router” is a device or, in some cases, software in a computer, that determines the next connection point to which a packet of data should be forwarded toward its final destination. A router is connected to at least two network interface links and determines which way to send each data packet based on its current understanding of the state of the links to which it is connected. A router may be located at any network gateway (where one network meets another), including, for example, host computers and points-of-presence on the Internet. Put another way, a router is a device or program that determines the route and specifically to which adjacent connection point in a network a data packet should be sent.
A router is often included as part of a network “switch,” which is also a network device that selects a path or circuit for sending a packet of data to its next destination. In general, however, a switch is a simpler and faster mechanism than a router. A router may create or maintain a table of available routes and their conditions and use this information, along with distance and cost algorithms, to determine the best route for a given data packet. Routers and switches may both be configured to implement schemes to control the network links used to transmit data packets to their destinations, as well as the order and speed in which data or data packets flow over a given link. However, switches are generally less sophisticated than routers in terms of the algorithms and the quantity and quality of network information they use.
Often the links in a data communications network are “weighted” or assigned numeric values to reflect some functional, qualitative or quantitative aspect of each link, such as its capacity to transmit data traffic. These numeric values are often called link metrics. Conventional routers and switches use algorithms based on link metrics to determine the “best path” to send a data packet to its intended destination. Several well-known algorithms, such as Shortest Path First Routing (sometimes called Link State Routing), or Distance Vector Routing, and their many variants, for example, have been advantageously applied in the data communications industry to optimize routing of data traffic through data communications networks.
Some types of secure networks employ a technique called “link encryption.” Link encryption (also called “link level encryption” or “link layer encryption”) is a data security process for encrypting information at the data link level as it is transmitted between two points within a data communications network. In such networks, a data packet is considered to exist “in the clear” while it is still located in a first network routing device's memory. The data packet is encrypted before it is sent across the link from this first network routing device to a second network routing device, and then is decrypted as it is received at the second network routing device. It is again considered to be “in the clear” when it arrives in an unencrypted state in the second network routing device's memory. A given data packet may thus proceed hop by hop through the data communications network, being encrypted before it is sent across each link, and then decrypted after it is received from that link.
The actual link encryption and decryption of the data is generally performed by cryptographic devices and/or algorithms, known as “cryptos.” Link encryption typically requires a pair of collaborating cryptos—one at each end of a link. Cryptos may reside in the router, the switch or elsewhere in the data communications network as stand-alone devices, computers or computer programs.
In most cases, a pair of collaborating cryptos will share a secret encryption “key.” An encryption key typically comprises a variable value that is applied (usually according to an algorithm) to a string or block of unencrypted data to produce encrypted data, or applied to a string or block of encrypted data to produce unencrypted data. The length or number of bits in the encryption key is usually a significant factor in how difficult it will be for an unauthorized recipient of an encrypted data packet to decrypt the data packet. Typically, an “upstream” crypto will use the encryption key to encrypt a packet's contents before the packet is transmitted across the link, and a “downstream” crypto will use the same encryption key to decrypt the packet upon receipt.
Often it is deemed undesirable to use the same encryption key for too long a period of time because the more traffic encrypted with a single encryption key, the easier the encryption code is to break. If an unauthorized person breaks the encryption code, then the security and/or integrity of the data traffic may be compromised. The more data traffic that has been encrypted with a given key, the more data traffic will be compromised if that encryption code is broken. Thus, encryption keys are often changed from time to time, e.g., weekly, daily, or even from minute to minute. Usually, when a key is changed, it must be changed at both the upstream and downstream cryptos. One approach is to change keys after a certain number of traffic bytes have passed through the crypto. For example, the two cryptos might be configured so that they switch to new encryption keys once five megabytes of data traffic has been encrypted (and/or decrypted) under the previous key. Alternatively, the keys may be updated periodically, for example once per hour. When using one of these approaches, the term “remaining encryption capacity” may be used to refer to the number of additional bytes of data traffic that can be encrypted, or the remaining amount of time that encryption may be applied on a link before all of the keys or key material currently on hand will be exhausted.
In the data communications network industry, many different techniques are used to supply cryptos with encryption keys. One common technique, appropriately termed “sneaker net,” is to have a trusted person carry the keys in some kind of physical container (such as a laptop computer or more specialized device) from one crypto to another. Another common technique employs mathematical algorithms and specialized cryptographic protocols, such as the well-known Diffie-Hellman Key Exchange Technique. A third technique that is now becoming more popular is quantum cryptography.
Quantum cryptography differs from traditional cryptographic systems in the sense that it depends more on physics, rather than mathematics, as the central aspect of its security model. Basically, quantum cryptography relies on the use of individual particles and waves of light (photons) and their intrinsic quantum properties to develop what is essentially an unbreakable encryption scheme—because it is impossible to measure the quantum state of any system without disturbing that system. It is theoretically possible that other particles could be used, but photons have been found to work very well for transmitting encryption key data. Moreover, photon behavior is relatively well understood, and photons are the information carriers in optical fiber cables, one of the most promising media for extremely high-bandwidth data communications.
Each of the above-described techniques for supplying keys and key material to cryptos, including the quantum cryptography key distribution method, takes some time to employ. Thus, it is possible that the new key material will not be delivered in time, i.e., before too much time has passed using the old key, or before too many bytes of data traffic have been encrypted via the old key. While the link may continue to operate, it may be considered “insecure” or “degraded” because the data traffic can no longer be encrypted or because a particular key has been used longer than desired and therefore may no longer be trusted as secret. Alternatively, such links may be abruptly removed from service until new keys are supplied and made operational, thereby adding a measure of congestion and/or denied access to the data communications network.
Under these circumstances, it is frequently useful, if not absolutely necessary, to take advantage of the fact that some of the data or data packets queuing up to traverse a given network interface link are more important and/or more confidential than other data or data packets queuing up to use the same link. This situation might arise, for example, when the owner of the data traffic being transmitted has paid a premium to ensure that his or her data is handled with a higher priority, a higher degree of security, a faster delivery time, or some combination of all of the above. The negative consequences of trying to transmit higher-priority and highly-sensitive data traffic across unsecure, congested or inaccessible links may pose too great a risk in some data communications contexts. In a military context, for example, whether certain data transmissions reach their intended destination on time, with absolute secrecy and with unquestionable integrity could mean the difference between life and death. In these situations, it can be extremely beneficial, if not critical, to apply some method of “flow control” to the interface link.
“Flow control” is the management of data flow between computers or devices or between nodes in a data communications network so that the data is transmitted at an optimum rate and in a preferred order. Too much data arriving before a device or interface link can handle it can cause a queue overflow condition, meaning that some of the data is either lost or must be retransmitted. In a data communications network, flow control for a network interface link is usually implemented by changing the order of, slowing down or ceasing data transmissions across the network interface until any congestion in the interface eases. A related technique is often called “queue management.” Both techniques aim to differentially manage how a number of different data flows are scheduled onto a network interface for transmission.
A common way of implementing flow control for data communications is to use one of a variety of related methods collectively referred to as “Fair Queuing” or “Weighted Fair Queuing.” In this technique, different traffic flows are assigned their “fair share” of a network link, and a queue management algorithm is applied in order to select which data packet should next be transmitted, with the goal of giving each of the defined traffic flows their proportionate share of the link capacity. Another technique is sometimes called “Priority Queuing.” In this technique, the various traffic flows are assigned relative priorities, and all packets of a higher priority are sent before any packet of a lower priority can be sent.
Another method of flow control commonly used in data communications networks is called “Random Early Drop” or “Random Early Detection” (RED), which improves performance in networks using the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, which is the main communications protocol used on the Internet. While IP takes care of handling the actual delivery of the data packets, TCP takes care of keeping track of the individual data packets for reliable delivery through the network. When all the packets in a transmission do not reach their destination (indicating that one or more intermediate links is unavailable or congested), TCP automatically decreases its data transmission rate. When all the packets in a data transmission reach their destination (indicating that the link has become available and/or not congested), TCP automatically increases its transmission rate. By randomly dropping data packets prior to or during periods of high congestion, and not dropping packets during periods of no or low congestion, RED takes advantage of TCP's automatic congestion control mechanism.
“Weighted RED” (WRED) flow control, which is a derivative of RED, generally drops packets selectively based on the values of certain fields contained in the packets, such as the Internet Protocol (IP) precedence field, the source and destination address fields, the protocol field, or any other fields capable of distinguishing different data flows. In the case of IP precedence, packets with a higher IP precedence are less likely to be dropped than packets with a lower IP precedence. Thus, higher priority traffic has a higher probability of being delivered to its destination than lower priority traffic. Although WRED is a very useful flow control technique to use on any network interface where congestion may be expected, it is usually used in the core (interior) network routing devices. Edge network routing devices typically assign IP precedence to data packets as they enter the network and the interior network routing devices use those IP precedence assignments to determine how the packets are routed. Notably, networks using WRED may be configured to ignore IP precedence when making data packet drop decisions, so that non-weighted RED behavior is achieved. Many other forms of flow control are also in use today.
Among other shortcomings, conventional flow control systems for data communications networks (including those described above) do not take remaining encryption capacity into account when making flow control (e.g., data packet dropping) decisions. In other words, the links between nodes in an encrypted network are usually assumed to be encrypted, and all of the flow control decisions are based on link metrics having nothing to do with the remaining encryption capacity of the links. Consequently, data packets are ordered (usually on a first-in-first-out basis), queued and transmitted across interface links without regard to the fact that the link may soon become unsecure or be taken out of service altogether because its encryption material is exhausted.
Accordingly, there is a need for systems and methods of controlling the flow of data traffic in cryptographically-protected networks where the remaining encryption capacity of links contained in the network is used to establish the optimal rate and order of data flows. The determination of the optimal rate and order of data flows may be based on a variety of data characteristics, such as the importance and/or sensitivity level of the data, source/destination address pairs, protocol fields, etc. There is a further need for such systems and methods to include routing programs and devices that generate, report and analyze remaining encryption capacity data and distribute the results to other routing programs and devices in the data communications network. The other routing programs and devices may then use the remaining encryption capacity data to help determine the optimal rate and order of data flows to other parts of the network.
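The following example is added here for illustration and is not part of the patent text. It models the two notions the background section describes: a link's remaining encryption capacity (a byte budget and a time budget for the current key) and a WRED-style drop decision keyed on IP precedence. It then contrasts a conventional decision, which ignores remaining capacity, with a capacity-aware decision that holds sensitive traffic when the current key cannot cover it. All class and function names, budgets and packet sizes are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    size: int          # bytes
    precedence: int    # IP precedence 0..7; higher is more important
    sensitive: bool    # constructed flag: must not cross a degraded link

class EncryptedLink:
    """Remaining encryption capacity: bytes left under the current key,
    and the time at which the key must be retired (both budgets)."""
    def __init__(self, byte_budget, key_lifetime_s, now=0.0):
        self.bytes_left = byte_budget
        self.key_expires = now + key_lifetime_s
    def remaining_capacity(self, now):
        # Zero once the time budget has elapsed, otherwise bytes left.
        return 0 if now >= self.key_expires else max(0, self.bytes_left)
    def transmit(self, pkt):
        self.bytes_left -= pkt.size

def wred_drop_probability(avg_queue, precedence, max_p=0.1, max_th=40):
    """RED ramp whose minimum threshold rises with IP precedence, so
    higher-precedence packets are less likely to be dropped (WRED)."""
    min_th = 10 + 3 * precedence
    if avg_queue < min_th:
        return 0.0
    if avg_queue >= max_th:
        return 1.0
    return max_p * (avg_queue - min_th) / (max_th - min_th)

def conventional_decision(pkt, avg_queue, draw):
    """Conventional WRED: drops by precedence only and never consults the
    link's remaining encryption capacity. draw is a uniform [0,1) sample."""
    return "drop" if draw < wred_drop_probability(avg_queue, pkt.precedence) else "send"

def capacity_aware_decision(pkt, link, now, avg_queue, draw):
    """Same WRED ramp, but the remaining encryption capacity is a link
    metric: sensitive traffic the current key cannot cover is held for new
    key material; other traffic may still use the degraded link."""
    if link.remaining_capacity(now) < pkt.size:
        if pkt.sensitive:
            return "hold"
        return conventional_decision(pkt, avg_queue, draw).replace("send", "send-degraded")
    return conventional_decision(pkt, avg_queue, draw)

def demo():
    # Constructed scenario: 5 MB key budget, 4,999,000 bytes already used,
    # a calm queue (avg 5) and a 1500-byte sensitive, high-precedence packet.
    link = EncryptedLink(byte_budget=5_000_000, key_lifetime_s=3600.0)
    link.transmit(Packet(4_999_000, 0, False))
    pkt = Packet(1500, 7, True)
    return (conventional_decision(pkt, 5, 0.5),
            capacity_aware_decision(pkt, link, 10.0, 5, 0.5))
```

The conventional path sends the sensitive packet onto a link with only 1000 bytes of encryption capacity left; the capacity-aware path holds it.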